From a341ab099e5aa53e5f69258e0c80326e01c880e8 Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 10 Aug 2023 12:49:47 +0200
Subject: Disable TLS renegotiation

---
 qmail-remote.c | 2 ++
 qmail-smtpd.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/qmail-remote.c b/qmail-remote.c
index b5fd940..d0f2fc3 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -468,6 +468,8 @@ static int tls_init(struct ip_mx *current_mx)
     tls_quit_error("ZTLS error initializing ctx");
   }
   SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+  /* TLS renegotiation is possible cpu resource attack */
+  SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
   /* we verify ourself below. see SSL_get_verify_result */
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index c4b498e..d97dfc5 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1334,6 +1334,8 @@ void tls_init()
   SSL_CTX_set_min_proto_version(ctx, min_ssl_version);
   SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_PRIORITIZE_CHACHA);
+  /* TLS renegotiation is possible cpu resource attack */
+  SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
   /* set the callback here; SSL_set_verify didn't work before 0.9.6c */
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);
--
cgit v1.2.3
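Review bot: `SSL_OP_NO_RENEGOTIATION` is referenced unconditionally in the two added lines of the qmail-remote.c hunk, so the build fails against an OpenSSL that predates the option (it was introduced in the 1.1.0h / 1.1.1 line, if I recall correctly) or a fork that does not define it; the qmail-smtpd.c hunk has the same issue. Wrapping the two lines in `#ifdef SSL_OP_NO_RENEGOTIATION` … `#endif` keeps older builds compiling, at the cost of silently leaving renegotiation enabled there, which deserves a comment in the `#else` branch. The added comment also reads awkwardly; `/* refuse TLS renegotiation: the peer can use repeated renegotiation to burn CPU (TLS <= 1.2 only; TLS 1.3 has no renegotiation) */` states both the risk and its scope. tls_init's body continues outside the hunk on both sides.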
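Review bot: In the qmail-smtpd.c hunk the new `SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);` sits two lines below an existing `SSL_CTX_set_options` call on the same ctx; a second call works because the flags are OR-ed into the context, but it reads as though the flag were set separately for a reason. Folding it into the existing call, `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_PRIORITIZE_CHACHA | SSL_OP_NO_RENEGOTIATION);`, keeps all context-wide policy in one statement and lets one comment cover the whole set. Since `min_ssl_version` is configurable here, it is worth noting in that comment that the option only matters for connections negotiated at TLS 1.2 or below, as TLS 1.3 has no renegotiation. tls_init's body continues outside the hunk.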